TAO, or Tailored Access Operations, is the NSA's team of "hackers' hackers". When normal intelligence-collection techniques do not work, the NSA turns to TAO. The NSA allowed the chief of TAO to speak at the Enigma conference about what an organization can do to disrupt even nation-state attackers. While you are unlikely to implement all of his recommendations, the talk gives a rare insight into a professional intruder's mindset: which defensive habits make a network genuinely tedious to attack. The video, on YouTube, is 35 minutes long.

The Conference of State Bank Supervisors (CSBS) published this guide, based on the NIST Cybersecurity Framework. It outlines the process NIST recommends (identify, protect, detect, respond, recover) and is a good introduction to the Framework for executives.

If you are a registered investment adviser (RIA) or another entity regulated by the SEC or state regulators, cyber security is on their radar. The SEC, at least, is disappointed with how RIAs are handling it, and at least one commissioner said so publicly this summer.

The NYSE, working with Veracode, surveyed almost 300 board directors and executives of publicly traded companies about cyber liability. 90% say their company should be held responsible for a breach, but they also say their third-party software vendors should share that responsibility.

Cyber-risk is a witch's brew of reputational, operational, legal and financial dangers. As SEC Commissioner Luis A. Aguilar said last year, "Put simply, boards that lack an adequate understanding of cyber-risks are unlikely to be able to effectively oversee cyber-risk management." Taken to its logical conclusion, a board that fails to properly oversee cyber-risk not only puts the organization at risk but also potentially exposes itself to liability.

20. NYSE Releases “Definitive Guide” For Directors and Officers of Public Companies

The New York Stock Exchange, in collaboration with about 40 authors, released a 350-page ebook collection of essays on cybersecurity for directors and officers of publicly traded companies. Since the essays are self-contained, they can be read individually as a reference. It is available at no charge.

FINRA, the Financial Industry Regulatory Authority, published a report on recommended cyber security practices, with a few case studies, for the firms it regulates. While aimed at them, it is also quite useful for anyone responsible for cyber security in their business.

The long-running PBS series Nova recently ran a program on the possibility of cyber warfare. Among other examples, the show discusses the DHS Aurora test, which demonstrated how easily a remote attacker with access to protective relays could destroy an electrical generator: repeatedly opening and closing its breakers out of phase with the grid tore the machine apart and set it smoking.

17. Navigating The Digital Age – The Definitive Guide for Directors and Officers

The New York Stock Exchange, in partnership with Palo Alto Networks and about 40 authors, has published a free eBook on cyber risk management. The book, at 300+ pages, presents the authors' views on a range of cyber-risk topics. It is free to download.

A data-breach-related shareholder derivative lawsuit was filed in September 2015 naming Home Depot and 12 directors and officers, accusing them of breaching "their fiduciary duties of loyalty, good faith, and due care by knowingly and in conscious disregard of their duties failing to ensure that Home Depot took reasonable measures to protect its customers' personal and financial information". Historically these suits have been hard to win, but at some point one will succeed, and even when they fail, defending against them is expensive, time consuming and distracting.

In February 2015, the SEC issued a risk alert presenting the results of a sweep examination of registered broker-dealers and investment advisers. That work is part of the basis for a second alert, released in September 2015, in which the SEC announced a new examination initiative and spelled out exactly which areas it would examine. This is useful guidance on where to focus your own cybersecurity efforts, whether or not you are regulated by the SEC.

The California Office of the CIO has published a Microsoft Word template that is a good starting point for an incident response plan. I strongly recommend that organizations not try to boil the ocean in one go: write a simple plan that covers the major points (who to call, how to contain, who decides on disclosure) and enhance it over time.

The SANS Institute, a well-respected information security training and incident response organization, offers over 25 sample information security policy templates on its web site for free, with no strings attached.

The SEC and the DOJ have both released useful guidance this year. The SEC guidance was aimed at registered investment advisers and others in the finance sector, but its recommendations are likely useful outside that industry. The DOJ documents address best practices for victim response to, and reporting of, cyber incidents.

This article from InsideCounsel.com explains why the first call I.T. should make if they believe the company has been hacked may be to counsel, even before calling the CEO. The article follows the case of Genesco v. Visa and shows how engaging outside forensic investigators through counsel, under attorney-client privilege and work-product protection, allowed the company to avoid disclosing information that likely would have hurt it in litigation.

While you can spend an unlimited amount of money on cyber security, these 10 items are a great first step and will dramatically improve most organizations' cyber-risk posture without spending a lot of money. Many companies already have the tools to do this, or free tools are available, but they do need to prioritize the work and make sure the technical staff are given the time to implement these recommendations.

This Reed Smith Client Alert provides guidance for in-house counsel on mitigating cybersecurity risk in health care devices such as infusion pumps, blood gas analyzers and many other computer-controlled medical devices. The document links to the relevant FDA documents, but more importantly it contains a checklist of practical steps for preventing and responding to breaches. The steps are written for medical devices, but most of the items apply to any company.

This is the checklist that accompanies the book. The checklist is free; the book is not. The 15-page checklist covers a number of areas, including development, operations, network security, cybersecurity and compliance.

Based on a survey of 214 dealmakers by the international law firm Freshfields Bruckhaus Deringer, 90% of respondents believe cyber breaches reduce deal value and 83% say they would abandon a deal mid-transaction if a breach were identified, yet more than 75% say cyber risk is not analyzed in depth during due diligence.